The opioid crisis in the US has had a devastating toll, impacting tens of thousands of families.
According to Mitchell Parker, CISO at Indiana University Health, a small part of the human suffering could have potentially been alleviated, if there was better control and security for Electronic Medical Record (EMR) systems. Parker presented his views during a session at the Black Hat USA 2020 virtual conference, where he outlined what has gone wrong with EMR systems and what can be done to make them more secure.
One of the drivers of the opioid crisis was the underhanded manipulation of an EMR system that was intended to assist physicians in prescribing medications. In January 2020, EMR vendor Practice Fusion was fined $145m by the US Department of Justice for receiving kickback cash payments from an opioid vendor to influence physician prescription activities. Practice Fusion provides a cloud-based EMR that is advertisement supported.
“People died and became addicted because of this manipulation and this subversive manipulation we’re talking about is a security issue,” Parker said.
How EMRs Work
Parker explained that an EMR is essentially a digital version of the paper charts found in a doctor’s office, including a patient’s medical treatment history. An EMR allows doctors to track data over time and the system can also be used to identify when preventive screenings and checkups are needed.
In the Practice Fusion case, opioid vendors were buying advertisements to influence physicians, but that’s not the limit of the security risk that exists with EMR systems. Parker noted that while EMR systems need to be certified for use to store patient record data, there are a variety of security holes that certification doesn’t consider.
One risk comes from pretexting attacks, where a criminal claims to be a government regulatory agency or a professional association and calls up medical offices asking staff for information.
“It's not difficult to get personal information using this method,” Parker said.
Parker noted that in his experience many vendors and service providers are doing a reasonably good job protecting against malware and ransomware, but are not protecting against identity theft and manipulation.
How to Improve EMR Security
Among the recommendations that Parker shared to help improve EMR systems is for vendors and users to deploy and enforce two-factor authentication, both for logging in to the system and for issuing prescriptions.
Parker also suggested that medical offices limit the number of users who can make changes of any type in the EMR to the minimum necessary. On top of that, he advised EMR vendors to make it easier to produce change reports whenever changes are made.
Parker noted that smaller medical groups are likely more susceptible to electronic subversion of their critical systems because of a lack of resources. He stated that he wanted to see those smaller groups partner with larger health systems to help manage EMR systems with the right governance and cybersecurity procedures.
“This [Practice Fusion] was a case of a company taking advantage of the fact they knew no one was looking and well, they did what they did with tragic consequences,” Parker said.